feat(llm-security-copilot): port llm-security v5.1.0 to GitHub Copilot CLI

Full port of llm-security plugin for internal use on Windows with GitHub Copilot CLI. Protocol translation layer (copilot-hook-runner.mjs) normalizes Copilot camelCase I/O to Claude Code snake_case format — all original hook scripts run unmodified. - 8 hooks with protocol translation (stdin/stdout/exit code) - 18 SKILL.md skills (Agent Skills Open Standard) - 6 .agent.md agent definitions - 20 scanners + 14 scanner lib modules (unchanged) - 14 knowledge files (unchanged) - 39 test files including copilot-port-verify.mjs (17 tests) - Windows-ready: node:path, os.tmpdir(), process.execPath, no bash Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-09 21:56:10 +02:00 · 2026-04-09 21:56:10 +02:00 · f418a8fe08
commit f418a8fe08
parent 901bf0ae12
169 changed files with 37631 additions and 0 deletions
--- a/plugins/llm-security-copilot/templates/archive/pre-deploy-report.md
+++ b/plugins/llm-security-copilot/templates/archive/pre-deploy-report.md
@ -0,0 +1,125 @@
+# Pre-Deployment Security Checklist
+
+<!--
+TEMPLATE USAGE
+This is a reference document describing the expected output structure for `/security pre-deploy`.
+Agents use this as a formatting guide for the pre-deployment checklist report.
+Fill every section with real observations. Do NOT output placeholder text.
+Run all 10 automated checks first, then ask the 3 manual verification questions.
+State the verdict clearly at the end based on the PASS count.
+-->
+
+---
+
+## Header
+
+**Project:** [Name of the project or directory assessed]
+**Assessment date:** [ISO 8601 — e.g. 2026-02-19]
+**Assessed by:** llm-security plugin v[X.X] — pre-deploy checklist
+**Mode:** Pre-deployment checklist
+
+---
+
+## Score Summary
+
+**Passed: X/10 automated checks**
+
+```
+[========--] 8/10
+```
+
+**Verdict:** [Ready for deployment / Nearly ready / Not ready]
+
+---
+
+## Automated Checks
+
+Status values: PASS — control confirmed | FAIL — control absent or broken | WARN — partial or unverified | N/A — not applicable
+
+| # | Check | Status | Detail |
+|---|-------|--------|--------|
+| 1 | Deny-first permissions | [PASS/FAIL/WARN/N/A] | [finding detail] |
+| 2 | Secrets hook active | [PASS/FAIL/WARN/N/A] | [finding detail] |
+| 3 | Path guard active | [PASS/FAIL/WARN/N/A] | [finding detail] |
+| 4 | Destructive command guard | [PASS/FAIL/WARN/N/A] | [finding detail] |
+| 5 | MCP servers verified | [PASS/FAIL/WARN/N/A] | [finding detail] |
+| 6 | No hardcoded secrets | [PASS/FAIL/WARN/N/A] | [finding detail] |
+| 7 | .gitignore covers secrets | [PASS/FAIL/WARN/N/A] | [finding detail] |
+| 8 | CLAUDE.md security docs | [PASS/FAIL/WARN/N/A] | [finding detail] |
+| 9 | Sandbox enabled | [PASS/FAIL/WARN/N/A] | [finding detail] |
+| 10 | Audit logging configured | [PASS/FAIL/WARN/N/A] | [finding detail] |
+
+---
+
+## Manual Verification
+
+Answers provided by the user during the assessment session.
+
+- [ ] **Enterprise plan:** [user answer]
+- [ ] **DPIA completed:** [user answer]
+- [ ] **Incident response plan:** [user answer]
+
+---
+
+## Recommendations
+
+FAIL items are listed first (blocking), followed by WARN items (advisory). Items with PASS or N/A status are omitted.
+
+| Priority | Check # | Action | Effort |
+|----------|---------|--------|--------|
+| FAIL | [#] | [Specific remediation step for the failed check] | [Low / Medium / High] |
+| FAIL | [#] | [Specific remediation step for the failed check] | [Low / Medium / High] |
+| WARN | [#] | [Specific remediation step for the warned check] | [Low / Medium / High] |
+| WARN | [#] | [Specific remediation step for the warned check] | [Low / Medium / High] |
+
+> If no FAIL or WARN items exist, write: "No recommendations — all automated checks passed."
+
+---
+
+## Verdict
+
+**[Ready for deployment / Nearly ready / Not ready]**
+
+- **10/10 PASS:** Ready for deployment — all automated checks passed.
+- **7–9 PASS:** Nearly ready — address the remaining items before deploying.
+- **<7 PASS:** Not ready — significant security gaps remain. Resolve FAIL items before deployment.
+
+---
+
+## Footer
+
+| Field | Value |
+|-------|-------|
+| llm-security version | [e.g. 0.1.0] |
+| Assessment engine | pre-deploy checklist |
+| OWASP references | LLM Top 10 (2025), Agentic AI Top 10 |
+| Full audit command | `/security audit` |
+| Report generated | [ISO 8601 timestamp] |
+
+---
+
+<!--
+SCORING LOGIC (for agents filling in this template)
+
+Score = count of checks with status PASS only.
+WARN and N/A do not count as PASS for scoring purposes.
+FAIL counts against the score.
+
+Progress bar fill = round((pass_count / 10) * 10) filled blocks out of 10
+Example: 8 PASS → round((8/10) * 10) = 8 filled blocks → [========--]
+Filled block: =   Empty block: -
+
+Verdict thresholds:
+  10/10 PASS  → "Ready for deployment — all automated checks passed."
+  7–9 PASS    → "Nearly ready — address the remaining items before deploying."
+  <7 PASS     → "Not ready — significant security gaps remain. Resolve FAIL items before deployment."
+
+RECOMMENDATIONS SORTING
+List FAIL items before WARN items, in ascending check number order within each group.
+Omit PASS and N/A checks from the recommendations table entirely.
+Each row must have a specific, actionable remediation step — not a generic instruction.
+
+MANUAL VERIFICATION
+Ask questions one at a time using AskUserQuestion.
+Mark checkbox as checked [x] if user confirms yes; leave unchecked [ ] if no or unsure.
+-->